RE: TLS on W2K
Hi,
I've added in my client program the following:
    rc = ldap_pvt_tls_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE, "C:\\LDAP\\cl_cert.pem");
    if ( rc != LDAP_SUCCESS )
    {
        fprintf( stderr, "Error Setting CERTFILE [%d]...\n", rc);
        return(0);
    }
    rc = ldap_pvt_tls_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE, "C:\\LDAP\\cl_sk.pem");
    if ( rc != LDAP_SUCCESS )
    {
        fprintf( stderr, "Error Setting KEYFILE [%d]...\n", rc);
        return(0);
    }
and in slapd.conf:
    #Enable TLS/SSL
    TLSCertificateFile /home/gvm/CA/users/ld_cert.pem
    TLSCertificateKeyFile /home/gvm/CA/users/ld_sk.pem
    TLSCACertificateFile /home/gvm/CA/cacert.pem
    TLSVerifyClient 1
And everything seems to work!!!!
======> Is it not needed to specify the CA certificate at the client side (to verify the server's certificate)?
======> But do you know where these 2 lines are coming from?
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
======> and:
connection_read(10): input error=-2 id=0, closing.
======> Does anyone have a clear description of TLS?
======> Can you combine the client's certificate with an ACL?
Regards,
slapd starting
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
do_extended
ber_scanf fmt ({a) ber:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS certificate verification: depth: 1, subject: /C=BE/ST=Antwerpen/L=Hoogstraten/O=HighSign/CN=Geert Van Muylem/Email=GVM@HighSign.BE, issuer: /C=BE/ST=Antwerpen/L=Hoogstraten/O=HighSign/CN=Geert Van Muylem/Email=GVM@HighSign.BE
TLS certificate verification: depth: 0, subject: /C=BE/ST=Antwerpen/O=HighSign/CN=Client, issuer: /C=BE/ST=Antwerpen/L=Hoogstraten/O=HighSign/CN=Geert Van Muylem/Email=GVM@HighSign.BE
TLS trace: SSL_accept:SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client key exchange A
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read certificate verify A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
do_unbind
ber_get_next
ber_get_next on fd 10 failed errno=104 (Connection reset by peer)
connection_read(10): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=10 for close
connection_close: deferring conn=0 sd=10
connection_resched: reaquiring locks conn=0 sd=10
connection_resched: attempting closing conn=0 sd=10
connection_close: conn=0 sd=10
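The "error in SSLv3 read client certificate A" lines asked about above come from slapd's TLS info callback: slapd runs SSL_accept on a non-blocking socket, so every time OpenSSL has to wait for the next client record (the errno=11 lines) the callback logs "error in <state>", and the same <state> then succeeds a few lines later. The following is an added example, not code from the thread or from OpenLDAP, that walks a constructed copy of the trace above and separates those harmless retries from a real failure, also pulling out the depth-0 client subject that a server-side identity mapping would use:

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample: an abbreviated copy of the slapd -d trace from the post. */
static const char *const sample_trace[] = {
    "TLS trace: SSL_accept:SSLv3 write certificate request A",
    "TLS trace: SSL_accept:error in SSLv3 read client certificate A",
    "TLS trace: SSL_accept:error in SSLv3 read client certificate A",
    "TLS certificate verification: depth: 0, subject: /C=BE/ST=Antwerpen/O=HighSign/CN=Client, issuer: /C=BE/ST=Antwerpen/L=Hoogstraten/O=HighSign/CN=Geert Van Muylem/Email=GVM@HighSign.BE",
    "TLS trace: SSL_accept:SSLv3 read client certificate A",
    "TLS trace: SSL_accept:SSLv3 read certificate verify A",
    "TLS trace: SSL_accept:SSLv3 write finished A",
    NULL
};
struct tls_summary {
    int retries;              /* "error in X" later followed by X succeeding */
    int unresolved;           /* "error in X" never followed by X, or "failed in X" */
    int finished;             /* server wrote Finished: handshake completed */
    char client_subject[256]; /* depth-0 subject DN, empty if no client cert */
};
static const char PFX[] = "TLS trace: SSL_accept:";
static const char VER[] = "TLS certificate verification: depth: 0, subject: ";
/* slapd calls SSL_accept on a non-blocking socket, so OpenSSL's info callback
   logs "error in <state>" whenever it must wait for more client data (the
   errno=11 EAGAIN lines). It is a real failure only if <state> never succeeds. */
struct tls_summary summarize_tls_trace(const char *const *lines)
{
    struct tls_summary s = {0, 0, 0, ""};
    char pending[128] = "";                   /* state of the last "error in" */
    for (; *lines; lines++) {
        const char *l = *lines;
        if (strncmp(l, VER, sizeof VER - 1) == 0) {
            const char *sub = l + sizeof VER - 1, *end = strstr(sub, ", issuer:");
            int n = end ? (int)(end - sub) : (int)strlen(sub);
            snprintf(s.client_subject, sizeof s.client_subject, "%.*s", n, sub);
        } else if (strncmp(l, PFX, sizeof PFX - 1) == 0) {
            const char *st = l + sizeof PFX - 1;
            if (strncmp(st, "failed in ", 10) == 0) {
                s.unresolved++;                   /* SSL_accept returned 0 */
            } else if (strncmp(st, "error in ", 9) == 0) {
                if (pending[0] && strcmp(st + 9, pending) != 0) s.unresolved++;
                snprintf(pending, sizeof pending, "%s", st + 9);
            } else {
                if (pending[0] && strcmp(st, pending) == 0) { s.retries++; pending[0] = 0; }
                if (strstr(st, "write finished")) s.finished = 1;
            }
        }
    }
    if (pending[0]) s.unresolved++;               /* never recovered */
    return s;
}
```

On the trace above this reports one resolved retry, no unresolved state, a completed handshake and the client subject /C=BE/ST=Antwerpen/O=HighSign/CN=Client; the later "input error=-2 ... Connection reset by peer" lines are simply the client closing after do_unbind.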
-----Original Message-----
From: Chapman, Kyle [mailto:Kyle_Chapman@G1.com]
Sent: Wednesday, 29 August 2001 2:37
To: 'Geert Van Muylem'
Subject: RE: TLS on W2K
Yes, I think it can...
Try this first and see what it does:
    ldap_pvt_tls_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, "true")
You can also use:
    LDAP_OPT_X_TLS_CACERTFILE, LDAP_OPT_X_TLS_CACERTDIR,
    LDAP_OPT_X_TLS_CERTFILE,
    LDAP_OPT_X_TLS_KEYFILE,
but I haven't done what you are trying to do...
-----Original Message-----
From: Geert Van Muylem
To: Chapman, Kyle
Sent: 8/28/01 8:06 PM
Subject: RE: TLS on W2K
Thanks,
It seems to work now!
Is there somewhere a description of how all these things are working?
And perhaps my most important questions:
Can OpenLDAP be used to do certificate-based client authentication?
Until now the client didn't send its certificate to the server to
identify itself.
If it's possible: how do we need to set up things?
thanks again!!!!!
Your help is really appreciated!
Geert
-----Original Message-----
From: Chapman, Kyle [mailto:Kyle_Chapman@G1.com]
Sent: Wednesday, 29 August 2001 1:30
To: 'Geert Van Muylem'
Subject: RE: TLS on W2K
Can you do nslookup or ping dragon.doom.be? If not, put the entry in the
hosts file on your Linux and Win2K box.
-----Original Message-----
From: Geert Van Muylem
To: Chapman, Kyle
Sent: 8/28/01 9:29 PM
Subject: RE: TLS on W2K
Hi,
I've created a new certificate for my LDAP server:
CN = dragon.doom.be
O = HighSign
S = Antwerpen
C = BE
where cn=dragon.doom.be, with dragon = hostname and domain name = doom.be
(These are my Linux network settings.)
I've still got the same errors.
What are the following lines?
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
gvm@dragon:~ > ldssld
Password:
@(#) $OpenLDAP: slapd 2.0.11-Release (Mon Aug 13 23:12:15 CEST 2001) $ gvm@linux:/home/gvm/LDAP/OpenLDAP/openldap-2.0.11/servers/slapd
daemon_init: listen on ldap://
daemon_init: listen on ldaps://
daemon_init: 2 listeners to open...
ldap_url_parse_ext(ldap://)
daemon: socket() failed errno=97 (Address family not supported by protocol)
daemon: initialized ldap://
ldap_url_parse_ext(ldaps://)
daemon: socket() failed errno=97 (Address family not supported by protocol)
daemon: initialized ldaps://
daemon_init: 2 listeners opened
slapd init: initiated server.
Enter PEM pass phrase:
slapd startup: initiated.
slapd starting
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
do_extended
ber_scanf fmt ({a) ber:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next on fd 10 failed errno=104 (Connection reset by peer)
connection_read(10): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=10 for close
connection_close: conn=0 sd=10
-----Original Message-----
From: Chapman, Kyle [mailto:Kyle_Chapman@G1.com]
Sent: Wednesday, 29 August 2001 0:11
To: 'Geert.Van.Muylem@SKYNET.BE'
Subject: RE: TLS on W2K
The common name should be: ldapserver.domain.name
where domain.name is your domain name...
If it was us it would be: ldapserver.g1.com
You shouldn't need client certificates.
-----Original Message-----
From: Geert Van Muylem [mailto:Geert.Van.Muylem@SKYNET.BE]
Sent: Tuesday, August 28, 2001 6:00 PM
To: Chapman, Kyle
Subject: RE: TLS on W2K
With SSL certificate you mean the certificate for the LDAP server,
which is in my case cn=LDAP Server?
Can you give me an example (I'm lost...)?
-----Original Message-----
From: Chapman, Kyle [mailto:Kyle_Chapman@G1.com]
Sent: Tuesday, 28 August 2001 23:42
To: 'Geert.Van.Muylem@skynet.be'
Subject: RE: TLS on W2K
When you created the SSL certificate, it asked you for a common name...
You should make sure it is:
. and that any machine, including the LDAP server
itself, can resolve the hostname/domain combo.
-----Original Message-----
From: Geert Van Muylem [mailto:Geert.Van.Muylem@skynet.be]
Sent: Tuesday, August 28, 2001 5:45 PM
To: Chapman, Kyle
Subject: RE: TLS on W2K
Thanks Kyle, but can you be a bit more specific?
I do not fully understand!
BTW, this is my server's certificate (DER):
CN = LDAP Server, O = HighSign, S = Antwerpen, C = BE
-----Original Message-----
From: Chapman, Kyle [mailto:Kyle_Chapman@G1.com]
Sent: Tuesday, 28 August 2001 23:26
To: 'Geert.Van.Muylem@skynet.be'
Subject: RE: TLS on W2K
The -2 error...
Make sure the SSL cert's CN or common name you entered is the FQDN of
the LDAP server...
-----Original Message-----
From: Geert Van Muylem [mailto:Geert.Van.Muylem@skynet.be]
Sent: Tuesday, August 28, 2001 5:21 PM
To: LDAP Mailing List
Subject: TLS on W2K
Dear All,
Why do I get the following error (0x52)? (Platform: Client = W2K, Server = Linux)
START_TLS [Local error][0x52]...
ldap_start_tls: Success
=> Debug output from Server:
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
do_extended
ber_scanf fmt ({a) ber:
ber_get_next
ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
send_ldap_extended 0: (0)
send_ldap_response: msgid=1 tag=120 err=0
ber_flush: 14 bytes to sd 10
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
ber_get_next
ber_get_next on fd 10 failed errno=104 (Connection reset by peer)
connection_read(10): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=10 for close
connection_close: conn=0 sd=10
=> Server slapd.conf
    #Enable TLS/SSL
    TLSCertificateFile /home/gvm/CA/users/ldapcert.pem
    TLSCertificateKeyFile /home/gvm/CA/users/ldap.pem
    TLSCACertificateFile /home/gvm/CA/cacert.pem
=> Client code
    #include <stdio.h>
    #include <ldap.h>
    #include <ldap_pvt.h>   /* declares ldap_pvt_tls_set_option() in OpenLDAP 2.0 */

    int main(void)
    {
        LDAP *ld;
        int rc;
        int version = LDAP_VERSION3;   /* StartTLS requires LDAPv3 */

        printf("INIT...\n");
        ld = ldap_init("192.168.0.49", 389);
        if ( ld == NULL )
        {
            printf("Init Error...\n");
            return(1);
        }
        if ( ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version ) != LDAP_OPT_SUCCESS )
        {
            fprintf( stderr, "Could not set LDAP_OPT_PROTOCOL_VERSION %d\n", version );
            return 1;
        }
        /* seed the TLS library's random number generator from a file */
        rc = ldap_pvt_tls_set_option(NULL, LDAP_OPT_X_TLS_RANDOM_FILE, "FILE.RND");
        if ( rc != LDAP_SUCCESS )
        {
            fprintf( stderr, "Error Setting option [%d]...\n", rc);
        }
        /* upgrade the plain connection to TLS via the StartTLS extended operation */
        if ( (rc = ldap_start_tls_s( ld, NULL, NULL )) != LDAP_SUCCESS )
        {
            fprintf( stderr, "START_TLS [%s][0x%02X]...\n", ldap_err2string(rc), rc);
            ldap_perror( ld, "ldap_start_tls");
        }
        return(0);
    }